I'm trying to achieve the following for our employees, contractors and guests.
Guests and contractors should be allowed to access the internet after successful auth on the ISE guest portal login page.
contractors (LDAP contractor group) -> webauth -> internet
guest (internal ISE DB via sponsor portal) -> webauth -> internet
Employees should be allowed to register their devices after successful auth on the ISE portal login page and they should be allowed to access the internet once their device is registered. So they don't have to re-enter the credentials every 2 hours.
employee (LDAP employee group) -> webauth -> NSP -> internet
In ISE I've created a custom portal with the mobile device portal and self-provisioning flow enabled. At the moment I don't have any client provisioning policy configured and I've set "Native Supplicant Provisioning Policy Unavailable" to "Allow network access".
I'm currently experiencing problems with clients, and they describe their problem as a portal loop: when they enter their credentials they are redirected to the portal once again. I did move around some of the rules and it currently looks like this. At the moment I'm working remote and not able to replicate the problem myself. Any advice would be welcome and much appreciated.
Is there any available documentation about the built-in attributes in ISE? I'm especially interested in "network use EQUALS guest flow".
I'm facing a similar problem to yours, but on wired. My contractor (I name it vendor) is redirected to the guest portal, and when they log in they are redirected to the portal again.
For the device registration, I have set "Native Supplicant Provisioning Policy Unavailable" to "Allow network access".
My authorization rules are as follows:
1- Rule name: Vendor-wired; identity: RegisteredDevices AND identity group: VENDOR; authorization profile: VENDOR-ACCESS
2- Rule name: WIRED-CWA; identity: any; condition: device-type: SWITCH; authorization profile: CWA-PORTAL
It looks like, when the vendor logs in, they are not hitting the first rule, although the device shows up in the registered devices and the vendor account is in the VENDOR identity group (local in ISE), so they come back again to rule 2, which redirects them to the CWA-PORTAL again.
Is this a distributed deployment? How many PSNs? Does the redirect URL point to a static IP?
What is the version and patch level for the ISE? WLC code?
Best practice is not to set a static IP in the redirect URL and let the PSN responding to RADIUS automatically be the one to which subsequent CWA requests are sent. Otherwise, the other PSN will have no knowledge of the session and will loop as shown.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
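The advice above is about where the CWA redirect sends the client. The following is an added example (not code from the thread or from Cisco) that inspects the Cisco AV pairs an Access-Accept would carry and flags a redirect URL whose host is a literal IP instead of the responding PSN's hostname; the AV-pair values and the session id are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample of the Cisco AV pairs a CWA authorization profile returns.
# The IP, port, path and sessionId are illustrative, not from a real deployment.
SAMPLE_AVPAIRS = [
    "url-redirect-acl=ACL-WEBAUTH-REDIRECT",
    "url-redirect=https://10.0.0.5:8443/portal/gateway?sessionId=0A0000050000012C&action=cwa",
]


def redirect_url(avpairs):
    """Return the value of the url-redirect AV pair, or None if absent."""
    for pair in avpairs:
        name, sep, value = pair.partition("=")
        if sep and name.strip() == "url-redirect":
            return value.strip()
    return None


def redirect_host_is_static_ip(url):
    """True when the redirect host is a literal IPv4/IPv6 address, not a hostname."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("redirect URL has no host component")
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_cwa_redirect(avpairs):
    """Summarise the CWA redirect so a hard-coded PSN (a loop cause) can be spotted.

    Returns a dict with the URL, its host, whether the host is a static IP and
    whether the URL carries a sessionId the portal can match to the RADIUS session.
    """
    url = redirect_url(avpairs)
    if url is None:
        return {"url": None, "host": None, "static_ip": False, "has_session": False}
    parsed = urlparse(url)
    return {
        "url": url,
        "host": parsed.hostname,
        "static_ip": redirect_host_is_static_ip(url),
        "has_session": "sessionId=" in (parsed.query or ""),
    }
```

Run `check_cwa_redirect` over the AV pairs seen in a RADIUS debug or the authorization profile: a `static_ip` of True on a multi-PSN deployment is the condition the answer above warns about.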
In my case, it is wired and it is a two-node deployment, not distributed.
ISE 1.2.1 with the latest patch.
URL redirection is working fine, supplicant provisioning is OK, device registration is also fine.
But after the user logs in he is redirected again to the portal. The device is shown under registered devices, but authorization rule 2 is not being hit after user login. The strange thing is that when I try again, the device registration portal asks again to register, although the device is under registered devices...
Hi Patrick. It has been a while since I have done web based device provisioning but from what I remember, I had to create two individual web portals: 1 for standard guest access and 1 for the device provisioning. I had to do this because having the "provisioning flow" option enabled caused issues for standard guests that were not doing device onboarding.